Education Center - PKI Management Common Mistakes

PKI

PKI Management Common Mistakes

The Worst PKI Certificate Management Mistakes You Can Make Without Realizing It

PKI—or Public Key Infrastructure, the basis for encrypted communications on the internet—is a complicated field that takes specialized training to master. Not every company is large enough to hire their own PKI expert to make sure their website is secure for customers to visit, but with nearly every business communicating and handling transactions online, all those businesses needs that expertise.

Frequently, the professionals that companies get to handle the keys and certificates necessary for PKI are a little out of their depth. That’s not to say they’re not capable or qualified—it’s just difficult to master an entire field of PKI cyber security when it’s not your specialty. It’s like having the electrician show up at a construction project and asking them to do the plumbing. They may have some basic understanding, and they may have seen some of it done, but that’s not what they were trained to do.

That doesn’t mean you can ignore PKI management, though. Not knowing PKI best practices doesn’t exclude you from needing to follow them. It’s easier said than done, though, when you don’t know what those best practices are. To help you bridge that knowledge gap, this article will discuss the biggest mistakes that can be made in PKI management, and how to avoid them.

Using Outdated Security Protocols

Since the creation of HTTPS by Netscape back in 1994, there have been a lot of changes to the cryptography. HTTPS started with the SSL (Secure Sockets Layer) protocol to encrypt communications. Exploits and weaknesses in the protocol mandated something more secure, however, and after widespread adoption of HTTPS, we began migrating from SSL to TLS (Transport Layer Security). Since then, there have been several iterations of TLS protocols, from 1.0 to 1.3 (which is currently a draft).

That’s not the only way the security of HTTPS has changed since its inception. Over the past half a dozen years, nearly every protocol or system used to secure HTTPS transmissions has been compromised or outdated. Here are some best practices regarding these protocols:

Migrate from SSL to at least TLS 1.1 or better

Ditch RC4 and use one of the more secure alternatives

Use SHA-2 or better

Using Keys That Are Too Short

In PKI, keys are used to encrypt and decrypt information, so that interlopers can’t steal the data passing between two parties. PKI is asymmetric encryption, which means that there’s a public key and a private key, and what’s encrypted by one key has to be decrypted by the other. This setup effectively protects information from prying eyes. That is, as long as malicious users don’t have a way to get the private key.

There are two ways for a hacker to get their hands on a private key: steal it (which we will discuss later), and guess it. Because these keys are just mathematical algorithms, it’s feasible for a hacker with adequate hardware to reverse the algorithm and determine the base values. It’s not easy, but sometimes it’s possible.

The difficulty of guessing (i.e. cracking) a given private key is dependent on how long the key is, and how many bits it takes to store the key. The longer and more complicated the key, the harder it is to crack. The problem is, as technology and methods improve, it becomes easier and easier to guess private keys, necessitating an increase in the size and complexity to maintain key security.

Using Self-Issued Keys & Certificates

Normally, keys and certificates (numerical identifiers that prove a website is who they say they are, and not a hacker disguised their system) are obtained from a trusted third party, called a Certificate Authority (or CA). Sometimes, though, an organization might issue its own keys and certificates.

The most common reason for this is for testing purposes. Developers will issue themselves a certificate or use a key to test software, intending to replace it later with a more secure one from a certificate authority. It’s a common practice, and it doesn’t cause any harm by itself. The problem arises when those certificates and keys are used externally, and provided to the end user. Once they go into circulation and regular use, they can prove very dangerous, for several reasons.

First, test certificates aren’t usually as robust as ones issued by a CA (see our previous section on key length), making them easy to crack, and then fake. Second, they aren’t usually stored securely, either (more on this later). Third, because they’re self-issued, they can be difficult to discover after the fact when you want to address PKI security, leaving you vulnerabilities that hide in your blind spot.

Not Storing Keys & Certificates Securely

Now, about the stealing of keys we mentioned. In many cases, it’s really easy to just steal the original keys and certificates directly. This is because not every company stores all of their sensitive PKI data securely. Frequently, they’re kept in a spreadsheet in plaintext and stored on a flash drive, normal hard drive, or another easily accessible storage medium, without so much as a Hardware Security Module (HSM) to protect it.

And, unless you have policies in place determining who can obtain keys and certificates, and who access to them, they’re easy to copy or otherwise smuggle out. With something as valuable as keys and certificates, you’re facing both internal and external theft, and either threat is capable of doing serious damage.

If a malicious user gets their hand on that PKI information, they can easily steal sensitive information from other users when they go to the website, or they can trick people into downloading malware by making their browser think the company made the software. It puts the customers at risk, and can severely damage a company’s reputation.

Not Rotating PKI Certificates & Keys Frequently

If you’re worried someone has stolen your password, it’s a good idea to change it. If you to ensure the security of your login, you’ll change it regularly regardless. The same goes for certificates and keys. Changing them frequently helps to counteract their theft or cracking, meaning that even if a hacker has gotten access to them, what they have will be outdated soon.

It’s a common practice to rotate certificates. CAs often enforce it by setting an expiration date for certificates, so that they have to be renewed every so often. Many companies only renew them when they have to, though, which is not nearly as frequently as they should. To achieve optimal security, certificates should be changed out in intervals less than six months long.

Even if certificates are being switched out, very few will similarly rotate their keys. Keys don’t have expiration dates, like certificates, so their replacing is not enforced. The problem with this is that if a hacker has the key, the certificate is somewhat irrelevant—they can build their own certificate and successfully fool devices into thinking the hacker is the actual website that they stole the key from. Changing keys regularly can prevent this, but it’s a best practice that’s not often followed.

Not Using Automation

Automation, in any application, is intended to improve efficiency and decrease human error. It’s no different in PKI management. Automation can help you renew your certificates and keys. It can also track and store data related to them, like how many keys and certificates you have, what they are, who requested them and for what purpose, who has access to them and when they use that access, and more.

Best of all, automation limits how many times an actual human has to interact with the keys and certificates, cutting down on human error. The problem is that very few organizations actually use this automation in their PKI management. That may be because they don’t know what it is, or what it can be used for, or because they don’t think it will be necessary. The fallback option is to have a human run the system, and that tends to result in defaulting to unsecured and unreliable practices.

Solution: Centralized PKI Management

Designing a public key infrastructure is a little like building a house—if you want it to be structurally sound and dependable, you need to plan it out, and adhere to codes. Like any industry, PKI design has best practices, and to make the infrastructure secure they need to be treated like law. Company policies then need to be set regarding things like who is responsible for PKI management, who is allowed to request keys and certificates, where they are stored, and how frequently to renew them. Then those policies need to be followed and enforced.

Centralizing PKI management this way (especially for larger organizations, who may have thousands of certificates to manage) is the only effective way to ensure the security of a given system. Disorganization and lack of accountability only breed vulnerabilities, and it’s only a matter of time before someone (internally or externally) exploits them.

You don’t have to understand hashing algorithms or elliptic curve cryptography to realize that a mismanaged system is a liability. And, with the average cost of a cybersecurity breach reaching as high as $3.62 million, it’s a liability that few businesses can afford.

Are you ready to take action and start getting serious about your PKI management? Talk to the pros at Venafi. We can help you identify weaknesses in the system and build an infrastructure that maintains the privacy of your users.

End User License Agreement

PLEASE READ CAREFULLY BEFORE CONTINUING WITH REGISTRATION AND/OR ACTIVATION OF THE VENAFI CLOUD SERVICE (“SERVICE”).

This is a legal agreement between the end user (“You”) and Venafi, Inc. ("Venafi" or “our”). BY ACCEPTING THIS AGREEMENT, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE AND/OR ACTIVATING AND USING THE VENAFI CLOUD SERVICE FOR WHICH YOU HAVE REGISTERED, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS "YOU" OR "YOUR" SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT USE THE SERVICE.

You shall not access the Service if You are Our competitor or if you are acting as a representative or agent of a competitor, except with Our prior written consent. In addition, You shall not access the Service for purposes of monitoring its availability, performance or functionality, or for any other benchmarking or competitive purposes, and you shall not perform security vulnerability assessments or penetration tests without the express written consent of Venafi.

This Agreement was last updated on April 12, 2017. It is effective between You and Venafi as of the date of Your accepting this Agreement.

The Venafi Cloud Service includes two separate services that are operated by Venafi as software as a service, each of which is separately licensed pursuant to the terms and conditions of this Agreement and each of which is considered a Service under this Agreement: the Venafi Cloud Risk Assessment Service or the Venafi Cloud for DevOps Service. Your right to use either Service is dependent on the Service for which You have registered with Venafi to use.

Definitions

“Your Data” means electronic data and information submitted by or for You to the Service or collected and processed by or for You using the Service.

License Grants and Restrictions

License Grant by Venafi to You. Venafi grants to You a limited, non-exclusive, non-transferable, non-assignable, limited license (the “License”) to access and use the Service during the applicable License Term set out in Section 2.2 below, in accordance with the instructions contained in the user documentation that accompanies the Service (“Documentation). Venafi hereby grants to You the right to use the Documentation solely in connection with the exercise of Your rights under this Agreement. Other than as explicitly set forth in this Agreement, no right to use, copy, display, or print the Documentation, in whole or in part, is granted. This license grant is limited to internal use by You. This License is conditioned upon Your compliance with all of Your obligations under this Agreement. Except for the express licenses granted in this Section, no other rights or licenses are granted by Venafi, expressly, by implication, by way of estoppel or otherwise. The Service and Documentation are licensed to Licensee and are not sold. Rights not granted in this Agreement are reserved by Venafi.

License Term.

Venafi Cloud Risk Assessment Service. If you have registered to access and use the Venafi Cloud Risk Assessment Service, Your right to use the Venafi Cloud Risk Assessment Service is limited to ninety (90) days from the date You first register for the Service, unless otherwise extended on Your agreement with Venafi.

Venafi Cloud for DevOps Service. If you have registered to access and use the Venafi Cloud for DevOps Service, Your right to use the Venafi Cloud for DevOps Service shall extend indefinitely and may be terminated by either You or Venafi at any time for any reason.

Restrictions on Use. The grant of rights stated in Sections 2.1 and 2.2, above, is subject to the following restrictions and limitations:

If You have registered to access and use the Venafi Cloud for DevOps Service, You must use SSL/TLS certificates issued to you at no charge through the Service for development and testing purposes only, and You are strictly prohibited from using such SSL/TLS certificates in a production environment or in any production capacity. If you are registered with a public Certification Authority (“CA”) supported by the Service and have valid credentials issued by such CA with which you can subscribe to such CA’s SSL/TLS certificates on a fee bearing basis for use in production environments, You may request such certificates through the applicable interface present in the Service by using such credentials. In such instance, the fee bearing certificate(s) will be issued to You by the CA and any access to or use of such certificates by You will be subject to the terms and conditions set out by the CA. No fees will be paid to or processed by Venafi in this case. The use of DigiCert issued certificates shall be subject to the Certificate Services Agreement published by DigiCert at https://www.digicert.com/docs/agreements/Certificate-Services-Agreement.pdf, which terms are hereby incorporated by reference.

You shall not use (or cause to be used) the Service for the benefit of any third party, including without limitation by rental, in the operation of an Applications Service Provider (ASP) service offering or as a service bureau, or any similar means.

You shall not distribute access to the Service, in whole or in any part, to any third party or parties. You shall not permit sublicensing, leasing, or other transfer of the Service.

You shall not (a) interfere with or disrupt the integrity or performance of the Service or third-party data contained therein, (b) attempt to gain unauthorized access to the Service or its related systems or networks, (c) permit direct or indirect access to or use of the Service in a way that circumvents a contractual usage limit, or (d) access the Service in order to build a competitive product or service.

License Grant by You. You grant to Venafi and its affiliates, as applicable, a worldwide, limited-term license to host, copy, transmit and display Your Data as necessary for Venafi to provide the Service in accordance with this Agreement. Subject to the limited licenses granted herein, Venafi acquires no right, title or interest from You or any of Your suppliers or licensors under this Agreement in or to Your Data.

Ownership

Venafi Materials. Venafi and/or its suppliers have and shall retain ownership of all right, title and interest in and to the Service and the Documentation and all intellectual property rights embodied in the Service and Documentation, including without limitation any patents, copyrights, trademarks and trade secrets in the Service and any modifications and/or derivatives thereof, whether or not made at Licensee’s request, and all know-how, concepts, methods, programming tools, inventions, and computer source code developed by Venafi (collectively, “Venafi Materials”).

Limited Feedback License. You hereby grant to Venafi, at no charge, a non-exclusive, royalty-free, worldwide, perpetual, irrevocable license under Your intellectual property rights in and to suggestions, comments and other forms of feedback (“Feedback”) regarding the Service provided by or on behalf of You to Venafi, including Feedback regarding features, usability and use, and bug reports, to reproduce, perform, display, create derivative works of the Feedback and distribute such Feedback and/or derivative works in the Service. Feedback is provided “as is” without warranty of any kind and shall not include any of Your confidential information.

Disclaimer of Warranties

EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION 4, THE SERVICE AND DOCUMENTATION ARE PROVIDED “AS-IS,” WITH “ALL FAULTS” AND “AS AVAILABLE,” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, ACCURACY, RELIABILITY, OR NONINFRINGEMENT WHETHER ARISING FROM COURSE OF DEALING, USAGE, TRADE PRACTICE OR ANY OTHER MANNER. VENAFI IS NOT OBLIGATED TO PROVIDE ANY UPDATES, UPGRADES OR TECHNICAL SUPPORT FOR THE SERVICE. VENAFI DISCLAIMS ALL LIABILITY AND INDEMNIFICATION OBLIGATIONS FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD-PARTY HOSTING PROVIDERS. In no event does Venafi warrant that the Service is error free or that You will be able to operate the Service without problems or interruptions. Some jurisdictions do not allow the exclusion of implied warranties and to the extent that is the case the above exclusion may not apply.

Limitation of Liability

IN NO EVENT WILL VENAFI OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE SERVICE EVEN IF VENAFI OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Some jurisdictions do not allow the limitation or exclusion of liability for incidental or consequential damages and to the extent that is the case the above limitation or exclusion may not apply to You.

Term and Termination

This License is effective until terminated as set forth herein or the License Term expires and is not otherwise renewed by the parties. Venafi may terminate this Agreement and/or the License at any time with or without written notice to You if You fail to comply with any term or condition of this Agreement or if Venafi ceases to make the Service available to end users. You may terminate this Agreement at any time on written notice to Venafi. Upon any termination or expiration of this Agreement or the License, You agree to cease all use of the Service if the License is not otherwise renewed or reinstated. Upon termination, Venafi may also enforce any rights provided by law. The provisions of this Agreement that protect the proprietary rights of Venafi will continue in force after termination.

Compliance With Laws

Violation of Laws. You shall not knowingly take any action or omit to take any action where the reasonably predictable result would be to cause Venafi to violate any applicable law, rule, regulation or policy and, to the extent not inconsistent therewith, any other applicable law, rule, regulation and policy.

Governing Law

This Agreement shall be governed by, and any arbitration hereunder shall apply, the laws of the State of Utah, excluding (a) its conflicts of laws principles; (b) the United Nations Convention on Contracts for the International Sale of Goods; (c) the 1974 Convention on the Limitation Period in the International Sale of Goods; and (d) the Protocol amending the 1974 Convention, done at Vienna April 11, 1980.

General

This Agreement is binding on You as well as Your employees, employers, contractors and agents, and on any permitted successors and assignees. Except if otherwise superseded in writing by a separately executed agreement, this Agreement is the entire agreement between You and Venafi with regard to the License granted hereunder, and You agree that Venafi will not have any liability for any statement or representation made by it, its agents or anyone else (whether innocently or negligently) upon which You relied in entering into this Agreement, unless such statement or representation was made fraudulently. This Agreement supersedes any other understandings or agreements, including, but not limited to, advertising, with respect to the Service. If any provision of this Agreement is deemed invalid or unenforceable by any country or government agency having jurisdiction, that particular provision will be deemed modified to the extent necessary to make the provision valid and enforceable and the remaining provisions will remain in full force and effect. Should such modification be impractical or denied, You and Venafi shall thereafter each have the right to terminate this Agreement on immediate notice.

Survival. The parties agree that the rights and obligations set forth in the above-referenced Section 1 (Definitions), 3 (Ownership), 4 (Disclaimer of Warranties), 5 (Limitation of Liability), 6 (Term and Termination), 7 (Compliance with Laws), 8 (Governing Law), and 9 (General) shall survive the termination of this Agreement for any reason and enforcement thereof shall not be subject to any conditions precedent.

Assignment. This Agreement shall be binding upon and inure to the benefit of the parties’ respective successors and permitted assigns. You shall not assign this Agreement or any of Your rights or obligations hereunder without the prior written consent of Venafi and any such attempted assignment shall be void.